The large HOST/HELO count sounds a little like someone was either trying to relay mail through your box - or they were doing a dictionary attack trying to guess at email addresses for your network. I see that occasionally and they result is that they burn up bandwidth. For that reason I deliberately limited the number of HOST/HELO sessions that could be active. For me with a small network 15 or 20 inbound connections at any point is VERY HIGH. If you have turned on detailed and extended logging - you can see this as the session count climbs for example:

The large count could also becaused if a spammer is using your domain name as part of their return address for their spam. They fire off lots of garbage and your box is hit with all the Non-Delivery-Records that are reflected to your machine. Again another good reason to limit HOST/HELO connections, active HOST connections and HOST/HELO NDR connections.

I've never seen a session count above 5 for normal e-mail. But I have seen the count go quite high during dictionary attacks before I added limits... I doubled the typical session peak for ordinary emails and that limited my connections to 10. Small for many businesses. BUT in my case it helps throttle back the spammers.

I run a small network and have a small e-mail load -- so my settings reflect that... Since you've had NST for a while now... you should be able to take a look at your history from the daily reports or the logfiles and see if you are having an attack and/or adjust your limits..